All vendors requiring connectivity to servers or applications that reside on the Secure Clinical Subnet (SCSN) must use a secure, authenticated, and encrypted mechanism that provides accountability for each connection event. All options require prior approval from the Health Information and Technology Services (HIT) Security Office.


To provide information for establishing Vendor connections to servers or applications that reside on the Secure Clinical Subnet (SCSN).


This procedure applies to all vendors who require VPN access.


The UVA Medical Center offers three methods that are approved for vendor VPN connections.

1. Add-vendor  

This option enables an authorized employee within the UVA Medical Center to generate passwords that allow the vendor VPN access for up to 24 hours at a time.

This type of VPN connection is best suited for:

  • Situations where support requests are initiated by the Medical Center to a vendor.
  • Situations where the vendor should not enter a system unless specifically asked to do so by a Medical Center sponsor.
  • Situations in which the specific individual on the vendor side is not known in advance, i.e., the Medical Center employee typically requests support through the vendor's help desk, which then assigns staff as available.

2. Individually assigned Hardware and Software Tokens 

This option is best for on-site consultants and vendors that will need a Health System network account or other privileged accesses.

This type of VPN connection is best suited for:

  • Smaller vendors.
  • Vendors who need access to a system without first requiring authorization from a Medical Center sponsor.
  • Situations where VPN access is authorized for one particular vendor employee.

This type of VPN access requires annual confirmation from UVA Medical Center Management.

3. Site-To-Site 

This is an always-on (24 x 7 persistent) connection between the vendor and the Medical Center. This type of connection is deemed reasonable only when automation is involved.


To request Vendor VPN access that best suits the vendor's access requirements, please contact the HIT Security Office by emailing MCCSecurity@hscmail.mcc.virginia.edu.
